From ca7d5065562b90210374fb2cf9c08c400879d8e1 Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Tue, 31 May 2022 14:43:23 +0200 Subject: [PATCH 01/19] Use PSA PAKE API when MBEDTLS_USE_PSA_CRYPTO is selected Signed-off-by: Neil Armstrong Signed-off-by: Valerio Setti --- library/ssl_misc.h | 9 +- library/ssl_tls.c | 131 ++++++++++++++++++++++++ library/ssl_tls12_client.c | 195 +++++++++++++++++++++++++++++++++++- library/ssl_tls12_server.c | 197 ++++++++++++++++++++++++++++++++++++- 4 files changed, 527 insertions(+), 5 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 41bb9c514..8b9624350 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -50,7 +50,8 @@ #include "mbedtls/sha512.h" #endif -#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ + !defined(MBEDTLS_USE_PSA_CRYPTO) #include "mbedtls/ecjpake.h" #endif @@ -663,7 +664,13 @@ struct mbedtls_ssl_handshake_params #endif /* MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C */ #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_pake_operation_t psa_pake_ctx; /*!< EC J-PAKE key exchange */ + mbedtls_svc_key_id_t psa_pake_password; + uint8_t psa_pake_ctx_is_ok; +#else mbedtls_ecjpake_context ecjpake_ctx; /*!< EC J-PAKE key exchange */ +#endif /* MBEDTLS_USE_PSA_CRYPTO */ #if defined(MBEDTLS_SSL_CLI_C) unsigned char *ecjpake_cache; /*!< Cache for ClientHello ext */ size_t ecjpake_cache_len; /*!< Length of cached data */ diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 5200d9044..ebada7a39 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -668,7 +668,12 @@ static void ssl_handshake_params_init( mbedtls_ssl_handshake_params *handshake ) mbedtls_ecdh_init( &handshake->ecdh_ctx ); #endif #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) +#if defined(MBEDTLS_USE_PSA_CRYPTO) + handshake->psa_pake_ctx = psa_pake_operation_init(); + handshake->psa_pake_password = MBEDTLS_SVC_KEY_ID_INIT; +#else mbedtls_ecjpake_init( &handshake->ecjpake_ctx ); +#endif /* MBEDTLS_USE_PSA_CRYPTO */ #if defined(MBEDTLS_SSL_CLI_C) handshake->ecjpake_cache = NULL; handshake->ecjpake_cache_len = 0; @@ -1615,11 +1620,75 @@ int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl, const unsigned char *pw, size_t pw_len ) { +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_pake_role_t psa_role; + psa_status_t status; +#else mbedtls_ecjpake_role role; +#endif /* MBEDTLS_USE_PSA_CRYPTO */ if( ssl->handshake == NULL || ssl->conf == NULL ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); +#if defined(MBEDTLS_USE_PSA_CRYPTO) + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) + psa_role = PSA_PAKE_ROLE_SERVER; + else + psa_role = PSA_PAKE_ROLE_CLIENT; + + + if( pw_len > 0 ) + { + psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DERIVE ); + psa_set_key_algorithm( &attributes, PSA_ALG_JPAKE ); + psa_set_key_type( &attributes, PSA_KEY_TYPE_PASSWORD ); + + status = psa_import_key( &attributes, pw, pw_len, + &ssl->handshake->psa_pake_password ); + if( status != PSA_SUCCESS ) + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + } + + psa_pake_cs_set_algorithm( &cipher_suite, PSA_ALG_JPAKE ); + psa_pake_cs_set_primitive( &cipher_suite, + PSA_PAKE_PRIMITIVE( PSA_PAKE_PRIMITIVE_TYPE_ECC, + PSA_ECC_FAMILY_SECP_R1, + 256) ); + psa_pake_cs_set_hash( &cipher_suite, PSA_ALG_SHA_256 ); + + status = psa_pake_setup( &ssl->handshake->psa_pake_ctx, &cipher_suite ); + if( status != PSA_SUCCESS ) + { + psa_destroy_key( ssl->handshake->psa_pake_password ); + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + } + + status = psa_pake_set_role( &ssl->handshake->psa_pake_ctx, psa_role ); + if( status != PSA_SUCCESS ) + { + psa_destroy_key( ssl->handshake->psa_pake_password ); + psa_pake_abort( &ssl->handshake->psa_pake_ctx ); + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + } + + if( pw_len > 0 ) + { + psa_pake_set_password_key( &ssl->handshake->psa_pake_ctx, + ssl->handshake->psa_pake_password ); + if( status != PSA_SUCCESS ) + { + psa_destroy_key( ssl->handshake->psa_pake_password ); + psa_pake_abort( &ssl->handshake->psa_pake_ctx ); + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + } + } + + ssl->handshake->psa_pake_ctx_is_ok = 1; + + return( 0 ); +#else if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) role = MBEDTLS_ECJPAKE_SERVER; else @@ -1630,6 +1699,7 @@ int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl, MBEDTLS_MD_SHA256, MBEDTLS_ECP_DP_SECP256R1, pw, pw_len ) ); +#endif /* MBEDTLS_USE_PSA_CRYPTO */ } #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ @@ -3665,7 +3735,13 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl ) mbedtls_ecdh_free( &handshake->ecdh_ctx ); #endif #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_pake_abort( &handshake->psa_pake_ctx ); + psa_destroy_key( handshake->psa_pake_password ); + handshake->psa_pake_password = MBEDTLS_SVC_KEY_ID_INIT; +#else mbedtls_ecjpake_free( &handshake->ecjpake_ctx ); +#endif /* MBEDTLS_USE_PSA_CRYPTO */ #if defined(MBEDTLS_SSL_CLI_C) mbedtls_free( handshake->ecjpake_cache ); handshake->ecjpake_cache = NULL; @@ -5879,6 +5955,55 @@ static int ssl_compute_master( mbedtls_ssl_handshake_params *handshake, else #endif { +#if defined(MBEDTLS_USE_PSA_CRYPTO) && \ + defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) + if( handshake->ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) + { + psa_status_t status; + psa_algorithm_t alg = PSA_ALG_TLS12_ECJPAKE_TO_PMS; + psa_key_derivation_operation_t derivation = + PSA_KEY_DERIVATION_OPERATION_INIT; + + MBEDTLS_SSL_DEBUG_MSG( 2, ( "perform PSA-based PMS KDF for ECJPAKE" ) ); + + handshake->pmslen = PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE; + + status = psa_key_derivation_setup( &derivation, alg ); + if( status != PSA_SUCCESS ) + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + + status = psa_key_derivation_set_capacity( &derivation, + PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE ); + if( status != PSA_SUCCESS ) + { + psa_key_derivation_abort( &derivation ); + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + } + + status = psa_pake_get_implicit_key( &handshake->psa_pake_ctx, + &derivation ); + if( status != PSA_SUCCESS ) + { + psa_key_derivation_abort( &derivation ); + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + } + + status = psa_key_derivation_output_bytes( &derivation, + handshake->premaster, + handshake->pmslen ); + if( status != PSA_SUCCESS ) + { + psa_key_derivation_abort( &derivation ); + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + } + + status = psa_key_derivation_abort( &derivation ); + if( status != PSA_SUCCESS ) + { + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + } + } +#endif ret = handshake->tls_prf( handshake->premaster, handshake->pmslen, lbl, seed, seed_len, master, @@ -5917,6 +6042,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) return( ret ); } + /* Compute master secret if needed */ ret = ssl_compute_master( ssl->handshake, ssl->session_negotiate->master, @@ -8620,8 +8746,13 @@ int mbedtls_ssl_validate_ciphersuite( #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && defined(MBEDTLS_SSL_CLI_C) #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) +#if defined(MBEDTLS_USE_PSA_CRYPTO) + if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE && + ssl->handshake->psa_pake_ctx_is_ok != 1 ) +#else if( suite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE && mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) +#endif /* MBEDTLS_USE_PSA_CRYPTO */ { return( -1 ); } diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c index 5360b3cb7..3d25e4003 100644 --- a/library/ssl_tls12_client.c +++ b/library/ssl_tls12_client.c @@ -130,15 +130,24 @@ static int ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, const unsigned char *end, size_t *olen ) { +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_status_t status; +#else int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; +#endif /* MBEDTLS_USE_PSA_CRYPTO */ unsigned char *p = buf; size_t kkpp_len; *olen = 0; /* Skip costly extension if we can't use EC J-PAKE anyway */ +#if defined(MBEDTLS_USE_PSA_CRYPTO) + if( ssl->handshake->psa_pake_ctx_is_ok != 1 ) + return( 0 ); +#else if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) return( 0 ); +#endif /* MBEDTLS_USE_PSA_CRYPTO */ MBEDTLS_SSL_DEBUG_MSG( 3, ( "client hello, adding ecjpake_kkpp extension" ) ); @@ -158,6 +167,43 @@ static int ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, { MBEDTLS_SSL_DEBUG_MSG( 3, ( "generating new ecjpake parameters" ) ); +#if defined(MBEDTLS_USE_PSA_CRYPTO) + size_t output_offset = 0; + size_t output_len; + + /* Repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice */ + for( unsigned int x = 1 ; x <= 2 ; ++x ) + { + for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE ; + step <= PSA_PAKE_STEP_ZK_PROOF ; + ++step ) + { + /* For each step, prepend 1 byte with the length of the data */ + if (step != PSA_PAKE_STEP_ZK_PROOF) { + *(p + 2 + output_offset) = 65; + } else { + *(p + 2 + output_offset) = 32; + } + output_offset += 1; + + status = psa_pake_output( &ssl->handshake->psa_pake_ctx, + step, p + 2 + output_offset, + end - p - output_offset - 2, + &output_len ); + if( status != PSA_SUCCESS ) + { + psa_destroy_key( ssl->handshake->psa_pake_password ); + psa_pake_abort( &ssl->handshake->psa_pake_ctx ); + MBEDTLS_SSL_DEBUG_RET( 1 , "psa_pake_output", status ); + return( psa_ssl_status_to_mbedtls( status ) ); + } + + output_offset += output_len; + } + } + + kkpp_len = output_offset; +#else ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx, p + 2, end - p - 2, &kkpp_len, ssl->conf->f_rng, ssl->conf->p_rng ); @@ -167,6 +213,7 @@ static int ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, "mbedtls_ecjpake_write_round_one", ret ); return( ret ); } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ ssl->handshake->ecjpake_cache = mbedtls_calloc( 1, kkpp_len ); if( ssl->handshake->ecjpake_cache == NULL ) @@ -849,10 +896,11 @@ static int ssl_parse_supported_point_formats_ext( mbedtls_ssl_context *ssl, ssl->handshake->ecdh_ctx.point_format = p[0]; #endif /* !MBEDTLS_USE_PSA_CRYPTO && ( MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ) */ -#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) +#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \ + defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) mbedtls_ecjpake_set_point_format( &ssl->handshake->ecjpake_ctx, p[0] ); -#endif +#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) ); return( 0 ); } @@ -876,6 +924,9 @@ static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, size_t len ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_status_t status; +#endif /* MBEDTLS_USE_PSA_CRYPTO */ if( ssl->handshake->ciphersuite_info->key_exchange != MBEDTLS_KEY_EXCHANGE_ECJPAKE ) @@ -889,6 +940,52 @@ static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, ssl->handshake->ecjpake_cache = NULL; ssl->handshake->ecjpake_cache_len = 0; +#if defined(MBEDTLS_USE_PSA_CRYPTO) + size_t input_offset = 0; + + /* Repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice */ + for( unsigned int x = 1 ; x <= 2 ; ++x ) + { + for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE ; + step <= PSA_PAKE_STEP_ZK_PROOF ; + ++step ) + { + /* Length is stored at the first byte */ + size_t length = buf[input_offset]; + input_offset += 1; + + if( input_offset + length > len ) + { + ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; + goto psa_pake_error; + } + + status = psa_pake_input( &ssl->handshake->psa_pake_ctx, step, + buf + input_offset, length ); + if( status != PSA_SUCCESS) + { + ret = psa_ssl_status_to_mbedtls( status ); + goto psa_pake_error; + } + + input_offset += length; + } + } + + return( 0 ); + +psa_pake_error: + psa_destroy_key( ssl->handshake->psa_pake_password ); + psa_pake_abort( &ssl->handshake->psa_pake_ctx ); + + MBEDTLS_SSL_DEBUG_RET( 1, "psa_pake_input round one", ret ); + mbedtls_ssl_send_alert_message( + ssl, + MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); + + return( ret ); +#else if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx, buf, len ) ) != 0 ) { @@ -901,6 +998,7 @@ static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, } return( 0 ); +#endif /* MBEDTLS_USE_PSA_CRYPTO */ } #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ @@ -2296,6 +2394,61 @@ start_processing: #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) { +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_status_t status; + size_t len = end - p; + size_t input_offset = 0; + + for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE ; + step <= PSA_PAKE_STEP_ZK_PROOF ; + ++step ) + { + size_t length; + + if( step == PSA_PAKE_STEP_KEY_SHARE ) + { + /* Length is stored after 3bytes curve */ + length = p[input_offset + 3]; + input_offset += 3 + 1; + } + else + { + /* Length is stored at the first byte */ + length = p[input_offset]; + input_offset += 1; + } + + if( input_offset + length > len ) + { + ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + goto psa_pake_out; + } + + status = psa_pake_input( &ssl->handshake->psa_pake_ctx, step, + p + input_offset, length ); + if( status != PSA_SUCCESS) + { + ret = psa_ssl_status_to_mbedtls( status ); + goto psa_pake_out; + } + + input_offset += length; + } + +psa_pake_out: + if( ret != 0 ) + { + psa_destroy_key( ssl->handshake->psa_pake_password ); + psa_pake_abort( &ssl->handshake->psa_pake_ctx ); + + MBEDTLS_SSL_DEBUG_RET( 1, "psa_pake_input round two", ret ); + mbedtls_ssl_send_alert_message( + ssl, + MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); + return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); + } +#else ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx, p, end - p ); if( ret != 0 ) @@ -2307,6 +2460,7 @@ start_processing: MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); return( MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE ); } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ } else #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ @@ -3235,6 +3389,42 @@ ecdh_calc_secret: { header_len = 4; +#if defined(MBEDTLS_USE_PSA_CRYPTO) + unsigned char *out_p = ssl->out_msg + header_len; + unsigned char *end_p = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN - + header_len; + psa_status_t status; + size_t output_offset = 0; + size_t output_len; + + for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE ; + step <= PSA_PAKE_STEP_ZK_PROOF ; + ++step ) + { + /* For each step, prepend 1 byte with the length of the data */ + if (step != PSA_PAKE_STEP_ZK_PROOF) { + *(out_p + output_offset) = 65; + } else { + *(out_p + output_offset) = 32; + } + output_offset += 1; + status = psa_pake_output( &ssl->handshake->psa_pake_ctx, + step, out_p + output_offset, + end_p - out_p - output_offset, + &output_len ); + if( status != PSA_SUCCESS ) + { + psa_destroy_key( ssl->handshake->psa_pake_password ); + psa_pake_abort( &ssl->handshake->psa_pake_ctx ); + MBEDTLS_SSL_DEBUG_RET( 1 , "psa_pake_output", status ); + return( psa_ssl_status_to_mbedtls( status ) ); + } + + output_offset += output_len; + } + + content_len = output_offset; +#else ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx, ssl->out_msg + header_len, MBEDTLS_SSL_OUT_CONTENT_LEN - header_len, @@ -3254,6 +3444,7 @@ ecdh_calc_secret: MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret ); return( ret ); } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ } else #endif /* MBEDTLS_KEY_EXCHANGE_RSA_ENABLED */ diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index 71f703c7f..68b4d0988 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c @@ -268,10 +268,11 @@ static int ssl_parse_supported_point_formats( mbedtls_ssl_context *ssl, ssl->handshake->ecdh_ctx.point_format = p[0]; #endif /* !MBEDTLS_USE_PSA_CRYPTO && ( MBEDTLS_ECDH_C || MBEDTLS_ECDSA_C ) */ -#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) +#if !defined(MBEDTLS_USE_PSA_CRYPTO) && \ + defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) mbedtls_ecjpake_set_point_format( &ssl->handshake->ecjpake_ctx, p[0] ); -#endif +#endif /* !MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ MBEDTLS_SSL_DEBUG_MSG( 4, ( "point format selected: %d", p[0] ) ); return( 0 ); } @@ -292,13 +293,52 @@ static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, size_t len ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_status_t status; +#endif /* MBEDTLS_USE_PSA_CRYPTO */ +#if defined(MBEDTLS_USE_PSA_CRYPTO) + if( ssl->handshake->psa_pake_ctx_is_ok != 1 ) +#else if( mbedtls_ecjpake_check( &ssl->handshake->ecjpake_ctx ) != 0 ) +#endif /* MBEDTLS_USE_PSA_CRYPTO */ { MBEDTLS_SSL_DEBUG_MSG( 3, ( "skip ecjpake kkpp extension" ) ); return( 0 ); } +#if defined(MBEDTLS_USE_PSA_CRYPTO) + size_t input_offset = 0; + + /* Repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice */ + for( unsigned int x = 1 ; x <= 2 ; ++x ) + { + for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE ; + step <= PSA_PAKE_STEP_ZK_PROOF ; + ++step ) + { + /* Length is stored at the first byte */ + size_t length = buf[input_offset]; + input_offset += 1; + + if( input_offset + length > len ) + { + ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; + goto psa_pake_error; + } + + status = psa_pake_input( &ssl->handshake->psa_pake_ctx, step, + buf + input_offset, length ); + if( status != PSA_SUCCESS) + { + ret = psa_ssl_status_to_mbedtls( status ); + goto psa_pake_error; + } + + input_offset += length; + } + } +#else if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx, buf, len ) ) != 0 ) { @@ -307,11 +347,26 @@ static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, MBEDTLS_SSL_ALERT_MSG_ILLEGAL_PARAMETER ); return( ret ); } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ /* Only mark the extension as OK when we're sure it is */ ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK; return( 0 ); + +#if defined(MBEDTLS_USE_PSA_CRYPTO) +psa_pake_error: + psa_destroy_key( ssl->handshake->psa_pake_password ); + psa_pake_abort( &ssl->handshake->psa_pake_ctx ); + + MBEDTLS_SSL_DEBUG_RET( 1, "psa_pake_input round one", ret ); + mbedtls_ssl_send_alert_message( + ssl, + MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); + + return( ret ); +#endif /* MBEDTLS_USE_PSA_CRYPTO */ } #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ @@ -1973,7 +2028,11 @@ static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, unsigned char *buf, size_t *olen ) { +#if defined(MBEDTLS_USE_PSA_CRYPTO) + psa_status_t status; +#else int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; +#endif /* MBEDTLS_USE_PSA_CRYPTO */ unsigned char *p = buf; const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; size_t kkpp_len; @@ -1996,6 +2055,42 @@ static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, MBEDTLS_PUT_UINT16_BE( MBEDTLS_TLS_EXT_ECJPAKE_KKPP, p, 0 ); p += 2; +#if defined(MBEDTLS_USE_PSA_CRYPTO) + size_t output_offset = 0; + size_t output_len; + + /* Repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice */ + for( unsigned int x = 1 ; x <= 2 ; ++x ) + { + for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE ; + step <= PSA_PAKE_STEP_ZK_PROOF ; + ++step ) + { + /* For each step, prepend 1 byte with the length of the data */ + if (step != PSA_PAKE_STEP_ZK_PROOF) { + *(p + 2 + output_offset) = 65; + } else { + *(p + 2 + output_offset) = 32; + } + output_offset += 1; + status = psa_pake_output( &ssl->handshake->psa_pake_ctx, + step, p + 2 + output_offset, + end - p - output_offset - 2, + &output_len ); + if( status != PSA_SUCCESS ) + { + psa_destroy_key( ssl->handshake->psa_pake_password ); + psa_pake_abort( &ssl->handshake->psa_pake_ctx ); + MBEDTLS_SSL_DEBUG_RET( 1 , "psa_pake_output", status ); + return; + } + + output_offset += output_len; + } + } + + kkpp_len = output_offset; +#else ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx, p + 2, end - p - 2, &kkpp_len, ssl->conf->f_rng, ssl->conf->p_rng ); @@ -2004,6 +2099,7 @@ static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_RET( 1 , "mbedtls_ecjpake_write_round_one", ret ); return; } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ MBEDTLS_PUT_UINT16_BE( kkpp_len, p, 0 ); p += 2; @@ -2807,6 +2903,61 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl, #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) { +#if defined(MBEDTLS_USE_PSA_CRYPTO) + unsigned char *out_p = ssl->out_msg + ssl->out_msglen; + unsigned char *end_p = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN - + ssl->out_msglen; + psa_status_t status; + size_t output_offset = 0; + size_t output_len; + size_t ec_len; + +#if !defined(MBEDTLS_ECJPAKE_ALT) + psa_pake_operation_t* pake_op = &(ssl->handshake->psa_pake_ctx); + + mbedtls_ecp_tls_write_group( &(pake_op->ctx.ecjpake.grp), + &ec_len, out_p + output_offset, + end_p - out_p); +#else + const mbedtls_ecp_curve_info *curve_info; + + if( ( curve_info = mbedtls_ecp_curve_info_from_grp_id( MBEDTLS_ECP_DP_SECP256R1 ) ) == NULL ) + return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); + + *out_p = MBEDTLS_ECP_TLS_NAMED_CURVE; + + MBEDTLS_PUT_UINT16_BE( curve_info->tls_id, out_p + 1, 0 ); + ec_len = 3; +#endif //MBEDTLS_PSA_BUILTIN_ALG_JPAKE + output_offset += ec_len; + + for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE ; + step <= PSA_PAKE_STEP_ZK_PROOF ; + ++step ) + { + if (step != PSA_PAKE_STEP_ZK_PROOF) { + *(out_p + output_offset) = 65; + } else { + *(out_p + output_offset) = 32; + } + output_offset += 1; + status = psa_pake_output( &ssl->handshake->psa_pake_ctx, + step, out_p + output_offset, + end_p - out_p - output_offset, + &output_len ); + if( status != PSA_SUCCESS ) + { + psa_destroy_key( ssl->handshake->psa_pake_password ); + psa_pake_abort( &ssl->handshake->psa_pake_ctx ); + MBEDTLS_SSL_DEBUG_RET( 1 , "psa_pake_output", status ); + return( psa_ssl_status_to_mbedtls( status ) ); + } + + output_offset += output_len; + } + + ssl->out_msglen += output_offset; +#else int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t len = 0; @@ -2822,6 +2973,7 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl, } ssl->out_msglen += len; +#endif /* MBEDTLS_USE_PSA_CRYPTO */ } #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ @@ -4039,6 +4191,46 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) { +#if defined(MBEDTLS_USE_PSA_CRYPTO) + size_t len = end - p; + psa_status_t status; + size_t input_offset = 0; + + for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE ; + step <= PSA_PAKE_STEP_ZK_PROOF ; + ++step ) + { + /* Length is stored at the first byte */ + size_t length = p[input_offset]; + input_offset += 1; + + if( input_offset + length > len ) + { + ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; + goto psa_pake_out; + } + + status = psa_pake_input( &ssl->handshake->psa_pake_ctx, step, + p + input_offset, length ); + if( status != PSA_SUCCESS) + { + ret = psa_ssl_status_to_mbedtls( status ); + goto psa_pake_out; + } + + input_offset += length; + } + +psa_pake_out: + if( ret != 0 ) + { + psa_destroy_key( ssl->handshake->psa_pake_password ); + psa_pake_abort( &ssl->handshake->psa_pake_ctx ); + + MBEDTLS_SSL_DEBUG_RET( 1, "psa_pake_input round two", ret ); + return( ret ); + } +#else ret = mbedtls_ecjpake_read_round_two( &ssl->handshake->ecjpake_ctx, p, end - p ); if( ret != 0 ) @@ -4055,6 +4247,7 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) MBEDTLS_SSL_DEBUG_RET( 1, "mbedtls_ecjpake_derive_secret", ret ); return( ret ); } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ } else #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ From e2977b690187ff848b1a0f26db6c35f5620104c8 Mon Sep 17 00:00:00 2001 From: Neil Armstrong Date: Tue, 13 Sep 2022 14:30:57 +0200 Subject: [PATCH 02/19] Remove TLS 1.2 exception about EC J-PAKE and PSA Crypto Signed-off-by: Neil Armstrong --- docs/use-psa-crypto.md | 1 - 1 file changed, 1 deletion(-) diff --git a/docs/use-psa-crypto.md b/docs/use-psa-crypto.md index b22d37f65..11442ed66 100644 --- a/docs/use-psa-crypto.md +++ b/docs/use-psa-crypto.md @@ -86,7 +86,6 @@ is enabled, no change required on the application side. Current exceptions: -- EC J-PAKE (when `MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED` is defined) - finite-field (non-EC) Diffie-Hellman (used in key exchanges: DHE-RSA, DHE-PSK) From 9f0ec53c4c876c02dd75f89c3c0ab0eb7917d560 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 8 Nov 2022 13:03:24 +0100 Subject: [PATCH 03/19] add a test for EC-JPAKE compatibility in TLS1.2 This is to ensure that the MbedTLS based implementation of EC-JPAKE is compatible with the PSA crypto one Signed-off-by: Valerio Setti --- tests/scripts/all.sh | 25 +++++++++++++++++++++++++ 1 file changed, 25 insertions(+) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 9295c9d00..b2af01c38 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1437,6 +1437,31 @@ component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only_use_psa () { tests/ssl-opt.sh -f "TLS 1.2" } +# We're not aware of any other (open source) implementation of EC J-PAKE in TLS +# that we could use for interop testing. However, we now have sort of two +# implementations ourselves: one using PSA, the other not. At least test that +# these two interoperate with each other. +component_test_tls1_2_ecjpake_compatibility() { + msg "build: TLS1.2 server+client w/ EC-JPAKE w/o USE_PSA" + scripts/config.py set MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED + make -C programs ssl/ssl_server2 ssl/ssl_client2 + cp programs/ssl/ssl_server2 s2_no_use_psa + cp programs/ssl/ssl_client2 c2_no_use_psa + + msg "build: TLS1.2 server+client w/ EC-JPAKE w/ USE_PSA" + scripts/config.py set MBEDTLS_USE_PSA_CRYPTO + make clean + make -C programs ssl/ssl_server2 ssl/ssl_client2 + make -C programs test/udp_proxy test/query_compile_time_config + + msg "test: server w/o USE_PSA - client w/ USE_PSA" + P_SRV=../s2_no_use_psa tests/ssl-opt.sh -f ECJPAKE + msg "test: client w/o USE_PSA - server w/ USE_PSA" + P_CLI=../c2_no_use_psa tests/ssl-opt.sh -f ECJPAKE + + rm s2_no_use_psa c2_no_use_psa +} + component_test_psa_external_rng_use_psa_crypto () { msg "build: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG" scripts/config.py full From 02c25b5f83f6f607007133b1f49931fe7c2630f5 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 15 Nov 2022 14:08:42 +0100 Subject: [PATCH 04/19] tls12: psa_pake: use common code for parsing/writing round one and round two data Share a common parsing code for both server and client for parsing round one and two. Signed-off-by: Valerio Setti --- library/ssl_misc.h | 212 +++++++++++++++++++++++++++++++++++++ library/ssl_tls.c | 22 ++-- library/ssl_tls12_client.c | 179 +++++-------------------------- library/ssl_tls12_server.c | 125 +++++----------------- 4 files changed, 279 insertions(+), 259 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 8b9624350..d4ce35c5a 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -2364,6 +2364,218 @@ static inline int psa_ssl_status_to_mbedtls( psa_status_t status ) } #endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */ +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ + defined(MBEDTLS_USE_PSA_CRYPTO) +/** + * \brief Parse the provided input buffer for getting the first round + * of key exchange. This code is common between server and client + * + * \param pake_ctx [in] the PAKE's operation/context structure + * \param buf [in] input buffer to parse + * \param len [in] length of the input buffer + * + * \return 0 on success or a negative error code in case of failure + */ +static inline int psa_tls12_parse_ecjpake_round_one( + psa_pake_operation_t *pake_ctx, + const unsigned char *buf, + size_t len ) +{ + psa_status_t status; + size_t input_offset = 0; + + /* Repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice */ + for( unsigned int x = 1; x <= 2; ++x ) + { + for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE; + step <= PSA_PAKE_STEP_ZK_PROOF; + ++step ) + { + /* Length is stored at the first byte */ + size_t length = buf[input_offset]; + input_offset += 1; + + if( input_offset + length > len ) + { + return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; + } + + status = psa_pake_input( pake_ctx, step, + buf + input_offset, length ); + if( status != PSA_SUCCESS) + { + return psa_ssl_status_to_mbedtls( status ); + } + + input_offset += length; + } + } + + return( 0 ); +} + +/** + * \brief Parse the provided input buffer for getting the second round + * of key exchange. This code is common between server and client + * + * \param pake_ctx [in] the PAKE's operation/context structure + * \param buf [in] input buffer to parse + * \param len [in] length of the input buffer + * + * \return 0 on success or a negative error code in case of failure + */ +static inline int psa_tls12_parse_ecjpake_round_two( + psa_pake_operation_t *pake_ctx, + const unsigned char *buf, + size_t len, int role ) +{ + psa_status_t status; + size_t input_offset = 0; + + for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE ; + step <= PSA_PAKE_STEP_ZK_PROOF ; + ++step ) + { + size_t length; + + /* + * On its 2nd round, the server sends 3 extra bytes which identify the + * curve. Therefore we should skip them only on the client side + */ + if( ( step == PSA_PAKE_STEP_KEY_SHARE ) && + ( role == MBEDTLS_SSL_IS_CLIENT ) ) + { + /* Length is stored after the 3 bytes for the curve */ + length = buf[input_offset + 3]; + input_offset += 3 + 1; + } + else + { + /* Length is stored at the first byte */ + length = buf[input_offset]; + input_offset += 1; + } + + if( input_offset + length > len ) + { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + } + + status = psa_pake_input( pake_ctx, step, + buf + input_offset, length ); + if( status != PSA_SUCCESS) + { + return psa_ssl_status_to_mbedtls( status ); + } + + input_offset += length; + } + + return( 0 ); +} + +/** + * \brief Write the first round of key exchange into the provided output + * buffer. This code is common between server and client + * + * \param pake_ctx [in] the PAKE's operation/context structure + * \param buf [out] the output buffer in which data will be written to + * \param len [in] length of the output buffer + * \param olen [out] the length of the data really written on the buffer + * + * \return 0 on success or a negative error code in case of failure + */ +static inline int psa_tls12_write_ecjpake_round_one( + psa_pake_operation_t *pake_ctx, + unsigned char *buf, + size_t len, size_t *olen ) +{ + psa_status_t status; + size_t output_offset = 0; + size_t output_len; + + /* Repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice */ + for( unsigned int x = 1 ; x <= 2 ; ++x ) + { + for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE ; + step <= PSA_PAKE_STEP_ZK_PROOF ; + ++step ) + { + /* For each step, prepend 1 byte with the length of the data */ + if (step != PSA_PAKE_STEP_ZK_PROOF) { + *(buf + output_offset) = 65; + } else { + *(buf + output_offset) = 32; + } + output_offset += 1; + + status = psa_pake_output( pake_ctx, step, + buf + output_offset, + len - output_offset, + &output_len ); + if( status != PSA_SUCCESS ) + { + return( psa_ssl_status_to_mbedtls( status ) ); + } + + output_offset += output_len; + } + } + + *olen = output_offset; + + return( 0 ); +} + +/** + * \brief Write the second round of key exchange into the provided output + * buffer. This code is common between server and client + * + * \param pake_ctx [in] the PAKE's operation/context structure + * \param buf [out] the output buffer in which data will be written to + * \param len [in] length of the output buffer + * \param olen [out] the length of the data really written on the buffer + * + * \return 0 on success or a negative error code in case of failure + */ +static inline int psa_tls12_write_ecjpake_round_two( + psa_pake_operation_t *pake_ctx, + unsigned char *buf, + size_t len, size_t *olen ) +{ + psa_status_t status; + size_t output_offset = 0; + size_t output_len; + + for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE ; + step <= PSA_PAKE_STEP_ZK_PROOF ; + ++step ) + { + /* For each step, prepend 1 byte with the length of the data */ + if (step != PSA_PAKE_STEP_ZK_PROOF) { + *(buf + output_offset) = 65; + } else { + *(buf + output_offset) = 32; + } + output_offset += 1; + status = psa_pake_output( pake_ctx, + step, buf + output_offset, + len - output_offset, + &output_len ); + if( status != PSA_SUCCESS ) + { + return( psa_ssl_status_to_mbedtls( status ) ); + } + + output_offset += output_len; + } + + *olen = output_offset; + + return( 0 ); +} +#endif //MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO + /** * \brief TLS record protection modes */ diff --git a/library/ssl_tls.c b/library/ssl_tls.c index ebada7a39..8771c595b 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -1616,23 +1616,19 @@ void mbedtls_ssl_set_verify( mbedtls_ssl_context *ssl, /* * Set EC J-PAKE password for current handshake */ +#if defined(MBEDTLS_USE_PSA_CRYPTO) int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl, const unsigned char *pw, size_t pw_len ) { -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_pake_cipher_suite_t cipher_suite = psa_pake_cipher_suite_init(); psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_pake_role_t psa_role; psa_status_t status; -#else - mbedtls_ecjpake_role role; -#endif /* MBEDTLS_USE_PSA_CRYPTO */ if( ssl->handshake == NULL || ssl->conf == NULL ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); -#if defined(MBEDTLS_USE_PSA_CRYPTO) if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) psa_role = PSA_PAKE_ROLE_SERVER; else @@ -1688,7 +1684,17 @@ int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl, ssl->handshake->psa_pake_ctx_is_ok = 1; return( 0 ); -#else +} +#else /* MBEDTLS_USE_PSA_CRYPTO */ +int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl, + const unsigned char *pw, + size_t pw_len ) +{ + mbedtls_ecjpake_role role; + + if( ssl->handshake == NULL || ssl->conf == NULL ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); + if( ssl->conf->endpoint == MBEDTLS_SSL_IS_SERVER ) role = MBEDTLS_ECJPAKE_SERVER; else @@ -1699,8 +1705,8 @@ int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl, MBEDTLS_MD_SHA256, MBEDTLS_ECP_DP_SECP256R1, pw, pw_len ) ); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ } +#endif /* MBEDTLS_USE_PSA_CRYPTO */ #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) @@ -3734,6 +3740,7 @@ void mbedtls_ssl_handshake_free( mbedtls_ssl_context *ssl ) #if !defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_ECDH_C) mbedtls_ecdh_free( &handshake->ecdh_ctx ); #endif + #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) #if defined(MBEDTLS_USE_PSA_CRYPTO) psa_pake_abort( &handshake->psa_pake_ctx ); @@ -6042,7 +6049,6 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) return( ret ); } - /* Compute master secret if needed */ ret = ssl_compute_master( ssl->handshake, ssl->session_negotiate->master, diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c index 3d25e4003..c90ed2e46 100644 --- a/library/ssl_tls12_client.c +++ b/library/ssl_tls12_client.c @@ -130,13 +130,9 @@ static int ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, const unsigned char *end, size_t *olen ) { -#if defined(MBEDTLS_USE_PSA_CRYPTO) - psa_status_t status; -#else int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; -#endif /* MBEDTLS_USE_PSA_CRYPTO */ unsigned char *p = buf; - size_t kkpp_len; + size_t kkpp_len = 0; *olen = 0; @@ -168,41 +164,15 @@ static int ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_MSG( 3, ( "generating new ecjpake parameters" ) ); #if defined(MBEDTLS_USE_PSA_CRYPTO) - size_t output_offset = 0; - size_t output_len; - - /* Repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice */ - for( unsigned int x = 1 ; x <= 2 ; ++x ) + ret = psa_tls12_write_ecjpake_round_one(&ssl->handshake->psa_pake_ctx, + p + 2, end - p - 2, &kkpp_len ); + if ( ret != 0 ) { - for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE ; - step <= PSA_PAKE_STEP_ZK_PROOF ; - ++step ) - { - /* For each step, prepend 1 byte with the length of the data */ - if (step != PSA_PAKE_STEP_ZK_PROOF) { - *(p + 2 + output_offset) = 65; - } else { - *(p + 2 + output_offset) = 32; - } - output_offset += 1; - - status = psa_pake_output( &ssl->handshake->psa_pake_ctx, - step, p + 2 + output_offset, - end - p - output_offset - 2, - &output_len ); - if( status != PSA_SUCCESS ) - { - psa_destroy_key( ssl->handshake->psa_pake_password ); - psa_pake_abort( &ssl->handshake->psa_pake_ctx ); - MBEDTLS_SSL_DEBUG_RET( 1 , "psa_pake_output", status ); - return( psa_ssl_status_to_mbedtls( status ) ); - } - - output_offset += output_len; - } + psa_destroy_key( ssl->handshake->psa_pake_password ); + psa_pake_abort( &ssl->handshake->psa_pake_ctx ); + MBEDTLS_SSL_DEBUG_RET( 1 , "psa_pake_output", ret ); + return( ret ); } - - kkpp_len = output_offset; #else ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx, p + 2, end - p - 2, &kkpp_len, @@ -924,9 +894,6 @@ static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, size_t len ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; -#if defined(MBEDTLS_USE_PSA_CRYPTO) - psa_status_t status; -#endif /* MBEDTLS_USE_PSA_CRYPTO */ if( ssl->handshake->ciphersuite_info->key_exchange != MBEDTLS_KEY_EXCHANGE_ECJPAKE ) @@ -941,50 +908,21 @@ static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, ssl->handshake->ecjpake_cache_len = 0; #if defined(MBEDTLS_USE_PSA_CRYPTO) - size_t input_offset = 0; - - /* Repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice */ - for( unsigned int x = 1 ; x <= 2 ; ++x ) + if( ( ret = psa_tls12_parse_ecjpake_round_one( + &ssl->handshake->psa_pake_ctx, buf, len ) ) != 0 ) { - for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE ; - step <= PSA_PAKE_STEP_ZK_PROOF ; - ++step ) - { - /* Length is stored at the first byte */ - size_t length = buf[input_offset]; - input_offset += 1; + psa_destroy_key( ssl->handshake->psa_pake_password ); + psa_pake_abort( &ssl->handshake->psa_pake_ctx ); - if( input_offset + length > len ) - { - ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; - goto psa_pake_error; - } - - status = psa_pake_input( &ssl->handshake->psa_pake_ctx, step, - buf + input_offset, length ); - if( status != PSA_SUCCESS) - { - ret = psa_ssl_status_to_mbedtls( status ); - goto psa_pake_error; - } - - input_offset += length; - } + MBEDTLS_SSL_DEBUG_RET( 1, "psa_pake_input round one", ret ); + mbedtls_ssl_send_alert_message( + ssl, + MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); + return( ret ); } return( 0 ); - -psa_pake_error: - psa_destroy_key( ssl->handshake->psa_pake_password ); - psa_pake_abort( &ssl->handshake->psa_pake_ctx ); - - MBEDTLS_SSL_DEBUG_RET( 1, "psa_pake_input round one", ret ); - mbedtls_ssl_send_alert_message( - ssl, - MBEDTLS_SSL_ALERT_LEVEL_FATAL, - MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); - - return( ret ); #else if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx, buf, len ) ) != 0 ) @@ -2395,48 +2333,9 @@ start_processing: if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) { #if defined(MBEDTLS_USE_PSA_CRYPTO) - psa_status_t status; - size_t len = end - p; - size_t input_offset = 0; - - for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE ; - step <= PSA_PAKE_STEP_ZK_PROOF ; - ++step ) - { - size_t length; - - if( step == PSA_PAKE_STEP_KEY_SHARE ) - { - /* Length is stored after 3bytes curve */ - length = p[input_offset + 3]; - input_offset += 3 + 1; - } - else - { - /* Length is stored at the first byte */ - length = p[input_offset]; - input_offset += 1; - } - - if( input_offset + length > len ) - { - ret = MBEDTLS_ERR_SSL_BAD_INPUT_DATA; - goto psa_pake_out; - } - - status = psa_pake_input( &ssl->handshake->psa_pake_ctx, step, - p + input_offset, length ); - if( status != PSA_SUCCESS) - { - ret = psa_ssl_status_to_mbedtls( status ); - goto psa_pake_out; - } - - input_offset += length; - } - -psa_pake_out: - if( ret != 0 ) + if( ( ret = psa_tls12_parse_ecjpake_round_two( + &ssl->handshake->psa_pake_ctx, p, end - p, + ssl->conf->endpoint ) ) != 0 ) { psa_destroy_key( ssl->handshake->psa_pake_password ); psa_pake_abort( &ssl->handshake->psa_pake_ctx ); @@ -3393,37 +3292,15 @@ ecdh_calc_secret: unsigned char *out_p = ssl->out_msg + header_len; unsigned char *end_p = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN - header_len; - psa_status_t status; - size_t output_offset = 0; - size_t output_len; - - for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE ; - step <= PSA_PAKE_STEP_ZK_PROOF ; - ++step ) + ret = psa_tls12_write_ecjpake_round_two( &ssl->handshake->psa_pake_ctx, + out_p, end_p - out_p, &content_len ); + if ( ret != 0 ) { - /* For each step, prepend 1 byte with the length of the data */ - if (step != PSA_PAKE_STEP_ZK_PROOF) { - *(out_p + output_offset) = 65; - } else { - *(out_p + output_offset) = 32; - } - output_offset += 1; - status = psa_pake_output( &ssl->handshake->psa_pake_ctx, - step, out_p + output_offset, - end_p - out_p - output_offset, - &output_len ); - if( status != PSA_SUCCESS ) - { - psa_destroy_key( ssl->handshake->psa_pake_password ); - psa_pake_abort( &ssl->handshake->psa_pake_ctx ); - MBEDTLS_SSL_DEBUG_RET( 1 , "psa_pake_output", status ); - return( psa_ssl_status_to_mbedtls( status ) ); - } - - output_offset += output_len; + psa_destroy_key( ssl->handshake->psa_pake_password ); + psa_pake_abort( &ssl->handshake->psa_pake_ctx ); + MBEDTLS_SSL_DEBUG_RET( 1 , "psa_pake_output", ret ); + return( ret ); } - - content_len = output_offset; #else ret = mbedtls_ecjpake_write_round_two( &ssl->handshake->ecjpake_ctx, ssl->out_msg + header_len, diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index 68b4d0988..806efd21b 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c @@ -290,12 +290,9 @@ static int ssl_parse_supported_point_formats( mbedtls_ssl_context *ssl, MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, const unsigned char *buf, - size_t len ) + size_t len) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; -#if defined(MBEDTLS_USE_PSA_CRYPTO) - psa_status_t status; -#endif /* MBEDTLS_USE_PSA_CRYPTO */ #if defined(MBEDTLS_USE_PSA_CRYPTO) if( ssl->handshake->psa_pake_ctx_is_ok != 1 ) @@ -308,35 +305,19 @@ static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, } #if defined(MBEDTLS_USE_PSA_CRYPTO) - size_t input_offset = 0; - - /* Repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice */ - for( unsigned int x = 1 ; x <= 2 ; ++x ) + if ( ( ret = psa_tls12_parse_ecjpake_round_one( + &ssl->handshake->psa_pake_ctx, buf, len ) ) != 0 ) { - for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE ; - step <= PSA_PAKE_STEP_ZK_PROOF ; - ++step ) - { - /* Length is stored at the first byte */ - size_t length = buf[input_offset]; - input_offset += 1; + psa_destroy_key( ssl->handshake->psa_pake_password ); + psa_pake_abort( &ssl->handshake->psa_pake_ctx ); - if( input_offset + length > len ) - { - ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; - goto psa_pake_error; - } + MBEDTLS_SSL_DEBUG_RET( 1, "psa_pake_input round one", ret ); + mbedtls_ssl_send_alert_message( + ssl, + MBEDTLS_SSL_ALERT_LEVEL_FATAL, + MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); - status = psa_pake_input( &ssl->handshake->psa_pake_ctx, step, - buf + input_offset, length ); - if( status != PSA_SUCCESS) - { - ret = psa_ssl_status_to_mbedtls( status ); - goto psa_pake_error; - } - - input_offset += length; - } + return( ret ); } #else if( ( ret = mbedtls_ecjpake_read_round_one( &ssl->handshake->ecjpake_ctx, @@ -353,20 +334,6 @@ static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, ssl->handshake->cli_exts |= MBEDTLS_TLS_EXT_ECJPAKE_KKPP_OK; return( 0 ); - -#if defined(MBEDTLS_USE_PSA_CRYPTO) -psa_pake_error: - psa_destroy_key( ssl->handshake->psa_pake_password ); - psa_pake_abort( &ssl->handshake->psa_pake_ctx ); - - MBEDTLS_SSL_DEBUG_RET( 1, "psa_pake_input round one", ret ); - mbedtls_ssl_send_alert_message( - ssl, - MBEDTLS_SSL_ALERT_LEVEL_FATAL, - MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE ); - - return( ret ); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ } #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ @@ -2903,13 +2870,13 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl, #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) { + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; #if defined(MBEDTLS_USE_PSA_CRYPTO) unsigned char *out_p = ssl->out_msg + ssl->out_msglen; unsigned char *end_p = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN - ssl->out_msglen; - psa_status_t status; size_t output_offset = 0; - size_t output_len; + size_t output_len = 0; size_t ec_len; #if !defined(MBEDTLS_ECJPAKE_ALT) @@ -2931,34 +2898,20 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl, #endif //MBEDTLS_PSA_BUILTIN_ALG_JPAKE output_offset += ec_len; - for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE ; - step <= PSA_PAKE_STEP_ZK_PROOF ; - ++step ) + ret = psa_tls12_write_ecjpake_round_two( &ssl->handshake->psa_pake_ctx, + out_p + output_offset, + end_p - out_p - output_offset, &output_len ); + if( ret != 0 ) { - if (step != PSA_PAKE_STEP_ZK_PROOF) { - *(out_p + output_offset) = 65; - } else { - *(out_p + output_offset) = 32; - } - output_offset += 1; - status = psa_pake_output( &ssl->handshake->psa_pake_ctx, - step, out_p + output_offset, - end_p - out_p - output_offset, - &output_len ); - if( status != PSA_SUCCESS ) - { - psa_destroy_key( ssl->handshake->psa_pake_password ); - psa_pake_abort( &ssl->handshake->psa_pake_ctx ); - MBEDTLS_SSL_DEBUG_RET( 1 , "psa_pake_output", status ); - return( psa_ssl_status_to_mbedtls( status ) ); - } - - output_offset += output_len; + psa_destroy_key( ssl->handshake->psa_pake_password ); + psa_pake_abort( &ssl->handshake->psa_pake_ctx ); + MBEDTLS_SSL_DEBUG_RET( 1 , "psa_pake_output", ret ); + return( ret ); } + output_offset += output_len; ssl->out_msglen += output_offset; #else - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t len = 0; ret = mbedtls_ecjpake_write_round_two( @@ -4192,37 +4145,9 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) { #if defined(MBEDTLS_USE_PSA_CRYPTO) - size_t len = end - p; - psa_status_t status; - size_t input_offset = 0; - - for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE ; - step <= PSA_PAKE_STEP_ZK_PROOF ; - ++step ) - { - /* Length is stored at the first byte */ - size_t length = p[input_offset]; - input_offset += 1; - - if( input_offset + length > len ) - { - ret = MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; - goto psa_pake_out; - } - - status = psa_pake_input( &ssl->handshake->psa_pake_ctx, step, - p + input_offset, length ); - if( status != PSA_SUCCESS) - { - ret = psa_ssl_status_to_mbedtls( status ); - goto psa_pake_out; - } - - input_offset += length; - } - -psa_pake_out: - if( ret != 0 ) + if( ( ret = psa_tls12_parse_ecjpake_round_two( + &ssl->handshake->psa_pake_ctx, p, end - p, + ssl->conf->endpoint ) ) != 0 ) { psa_destroy_key( ssl->handshake->psa_pake_password ); psa_pake_abort( &ssl->handshake->psa_pake_ctx ); From fbbc1f3812cd13ccf86c2e8d090f62ef6a27705a Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 15 Nov 2022 16:39:55 +0100 Subject: [PATCH 05/19] tls12: psa_pake: use proper defines for the output size of each step in ECJPAKE Signed-off-by: Valerio Setti --- library/ssl_misc.h | 26 +++++++++++++++----------- 1 file changed, 15 insertions(+), 11 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index d4ce35c5a..34879a18c 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -2366,6 +2366,18 @@ static inline int psa_ssl_status_to_mbedtls( psa_status_t status ) #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ defined(MBEDTLS_USE_PSA_CRYPTO) + +/* Currently JPAKE only supports elliptic curve secp256r1 */ +#define MBEDTLS_SSL_ECJPAKE_PSA_PRIMITIVE \ + PSA_PAKE_PRIMITIVE( PSA_PAKE_PRIMITIVE_TYPE_ECC, \ + PSA_ECC_FAMILY_SECP_R1, 256 ) + +/* Expected output data size for each "step" of EC-JPAKE key echange */ +#define MBEDTLS_SSL_ECJPAKE_OUTPUT_SIZE( step ) \ + PSA_PAKE_OUTPUT_SIZE( PSA_ALG_JPAKE, \ + MBEDTLS_SSL_ECJPAKE_PSA_PRIMITIVE, \ + step ) + /** * \brief Parse the provided input buffer for getting the first round * of key exchange. This code is common between server and client @@ -2376,7 +2388,7 @@ static inline int psa_ssl_status_to_mbedtls( psa_status_t status ) * * \return 0 on success or a negative error code in case of failure */ -static inline int psa_tls12_parse_ecjpake_round_one( +static inline int psa_tls12_parse_ecjpake_round_one( psa_pake_operation_t *pake_ctx, const unsigned char *buf, size_t len ) @@ -2502,11 +2514,7 @@ static inline int psa_tls12_write_ecjpake_round_one( ++step ) { /* For each step, prepend 1 byte with the length of the data */ - if (step != PSA_PAKE_STEP_ZK_PROOF) { - *(buf + output_offset) = 65; - } else { - *(buf + output_offset) = 32; - } + *(buf + output_offset) = MBEDTLS_SSL_ECJPAKE_OUTPUT_SIZE( step ); output_offset += 1; status = psa_pake_output( pake_ctx, step, @@ -2552,11 +2560,7 @@ static inline int psa_tls12_write_ecjpake_round_two( ++step ) { /* For each step, prepend 1 byte with the length of the data */ - if (step != PSA_PAKE_STEP_ZK_PROOF) { - *(buf + output_offset) = 65; - } else { - *(buf + output_offset) = 32; - } + *(buf + output_offset) = MBEDTLS_SSL_ECJPAKE_OUTPUT_SIZE( step ); output_offset += 1; status = psa_pake_output( pake_ctx, step, buf + output_offset, From 4a9caaa0c9cae90d5cc4a7e08f92752698cee6cc Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 16 Nov 2022 08:17:09 +0100 Subject: [PATCH 06/19] tls12: psa_pake: check elliptic curve's TLS ID on handshake Signed-off-by: Valerio Setti --- library/ssl_misc.h | 27 ++++++++++++++++----------- 1 file changed, 16 insertions(+), 11 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 34879a18c..807e7811d 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -2452,22 +2452,27 @@ static inline int psa_tls12_parse_ecjpake_round_two( /* * On its 2nd round, the server sends 3 extra bytes which identify the - * curve. Therefore we should skip them only on the client side + * curve: + * - the 1st one is MBEDTLS_ECP_TLS_NAMED_CURVE + * - the 2nd and 3rd represent curve's TLS ID + * Validate this data before moving forward */ - if( ( step == PSA_PAKE_STEP_KEY_SHARE ) && + if( ( step == PSA_PAKE_STEP_KEY_SHARE ) && ( role == MBEDTLS_SSL_IS_CLIENT ) ) { - /* Length is stored after the 3 bytes for the curve */ - length = buf[input_offset + 3]; - input_offset += 3 + 1; - } - else - { - /* Length is stored at the first byte */ - length = buf[input_offset]; - input_offset += 1; + uint16_t tls_id = MBEDTLS_GET_UINT16_BE( buf, 1 ); + + if( ( *buf != MBEDTLS_ECP_TLS_NAMED_CURVE ) || + ( mbedtls_ecp_curve_info_from_tls_id( tls_id ) == NULL ) ) + return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); + + input_offset += 3; } + /* Length is stored at the first byte */ + length = buf[input_offset]; + input_offset += 1; + if( input_offset + length > len ) { return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; From 6f1b5741ae239433414b772adb06e8515c1bd353 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 16 Nov 2022 10:00:32 +0100 Subject: [PATCH 07/19] tls12: psa_pake: simplify EC info parsing in server's 2nd round Signed-off-by: Valerio Setti --- library/ssl_tls12_server.c | 32 +++++++++++++++----------------- 1 file changed, 15 insertions(+), 17 deletions(-) diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index 806efd21b..38899f952 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c @@ -2877,26 +2877,24 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl, ssl->out_msglen; size_t output_offset = 0; size_t output_len = 0; - size_t ec_len; - -#if !defined(MBEDTLS_ECJPAKE_ALT) - psa_pake_operation_t* pake_op = &(ssl->handshake->psa_pake_ctx); - - mbedtls_ecp_tls_write_group( &(pake_op->ctx.ecjpake.grp), - &ec_len, out_p + output_offset, - end_p - out_p); -#else const mbedtls_ecp_curve_info *curve_info; - if( ( curve_info = mbedtls_ecp_curve_info_from_grp_id( MBEDTLS_ECP_DP_SECP256R1 ) ) == NULL ) - return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); - + /* + * The first 3 bytes are: + * [0] MBEDTLS_ECP_TLS_NAMED_CURVE + * [1, 2] elliptic curve's TLS ID + * + * However since we only support secp256r1 for now, we hardcode its + * TLS ID here + */ + if( ( curve_info = mbedtls_ecp_curve_info_from_grp_id( + MBEDTLS_ECP_DP_SECP256R1 ) ) == NULL ) + { + return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); + } *out_p = MBEDTLS_ECP_TLS_NAMED_CURVE; - - MBEDTLS_PUT_UINT16_BE( curve_info->tls_id, out_p + 1, 0 ); - ec_len = 3; -#endif //MBEDTLS_PSA_BUILTIN_ALG_JPAKE - output_offset += ec_len; + MBEDTLS_PUT_UINT16_BE( curve_info->tls_id, out_p, 1 ); + output_offset += sizeof( uint8_t ) + sizeof( uint16_t ); ret = psa_tls12_write_ecjpake_round_two( &ssl->handshake->psa_pake_ctx, out_p + output_offset, From a08b1a40a0ff0a69fa7114280f3b1e31772466ee Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 17 Nov 2022 15:10:02 +0100 Subject: [PATCH 08/19] tls: psa_pake: move move key exchange read/write functions to ssl_tls.c Inlined functions might cause the compiled code to have different sizes depending on the usage and this not acceptable in some cases. Therefore read/write functions used in the initial key exchange are moved to a standard C file. Signed-off-by: Valerio Setti --- library/ssl_misc.h | 159 ++--------------------------------- library/ssl_tls.c | 167 +++++++++++++++++++++++++++++++++++++ library/ssl_tls12_client.c | 8 +- library/ssl_tls12_server.c | 6 +- 4 files changed, 182 insertions(+), 158 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 807e7811d..d022721a7 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -2388,43 +2388,10 @@ static inline int psa_ssl_status_to_mbedtls( psa_status_t status ) * * \return 0 on success or a negative error code in case of failure */ -static inline int psa_tls12_parse_ecjpake_round_one( +int mbedtls_psa_ecjpake_read_round_one( psa_pake_operation_t *pake_ctx, const unsigned char *buf, - size_t len ) -{ - psa_status_t status; - size_t input_offset = 0; - - /* Repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice */ - for( unsigned int x = 1; x <= 2; ++x ) - { - for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE; - step <= PSA_PAKE_STEP_ZK_PROOF; - ++step ) - { - /* Length is stored at the first byte */ - size_t length = buf[input_offset]; - input_offset += 1; - - if( input_offset + length > len ) - { - return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; - } - - status = psa_pake_input( pake_ctx, step, - buf + input_offset, length ); - if( status != PSA_SUCCESS) - { - return psa_ssl_status_to_mbedtls( status ); - } - - input_offset += length; - } - } - - return( 0 ); -} + size_t len ); /** * \brief Parse the provided input buffer for getting the second round @@ -2436,60 +2403,10 @@ static inline int psa_tls12_parse_ecjpake_round_one( * * \return 0 on success or a negative error code in case of failure */ -static inline int psa_tls12_parse_ecjpake_round_two( +int mbedtls_psa_ecjpake_read_round_two( psa_pake_operation_t *pake_ctx, const unsigned char *buf, - size_t len, int role ) -{ - psa_status_t status; - size_t input_offset = 0; - - for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE ; - step <= PSA_PAKE_STEP_ZK_PROOF ; - ++step ) - { - size_t length; - - /* - * On its 2nd round, the server sends 3 extra bytes which identify the - * curve: - * - the 1st one is MBEDTLS_ECP_TLS_NAMED_CURVE - * - the 2nd and 3rd represent curve's TLS ID - * Validate this data before moving forward - */ - if( ( step == PSA_PAKE_STEP_KEY_SHARE ) && - ( role == MBEDTLS_SSL_IS_CLIENT ) ) - { - uint16_t tls_id = MBEDTLS_GET_UINT16_BE( buf, 1 ); - - if( ( *buf != MBEDTLS_ECP_TLS_NAMED_CURVE ) || - ( mbedtls_ecp_curve_info_from_tls_id( tls_id ) == NULL ) ) - return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); - - input_offset += 3; - } - - /* Length is stored at the first byte */ - length = buf[input_offset]; - input_offset += 1; - - if( input_offset + length > len ) - { - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; - } - - status = psa_pake_input( pake_ctx, step, - buf + input_offset, length ); - if( status != PSA_SUCCESS) - { - return psa_ssl_status_to_mbedtls( status ); - } - - input_offset += length; - } - - return( 0 ); -} + size_t len, int role ); /** * \brief Write the first round of key exchange into the provided output @@ -2502,43 +2419,10 @@ static inline int psa_tls12_parse_ecjpake_round_two( * * \return 0 on success or a negative error code in case of failure */ -static inline int psa_tls12_write_ecjpake_round_one( +int mbedtls_psa_ecjpake_write_round_one( psa_pake_operation_t *pake_ctx, unsigned char *buf, - size_t len, size_t *olen ) -{ - psa_status_t status; - size_t output_offset = 0; - size_t output_len; - - /* Repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice */ - for( unsigned int x = 1 ; x <= 2 ; ++x ) - { - for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE ; - step <= PSA_PAKE_STEP_ZK_PROOF ; - ++step ) - { - /* For each step, prepend 1 byte with the length of the data */ - *(buf + output_offset) = MBEDTLS_SSL_ECJPAKE_OUTPUT_SIZE( step ); - output_offset += 1; - - status = psa_pake_output( pake_ctx, step, - buf + output_offset, - len - output_offset, - &output_len ); - if( status != PSA_SUCCESS ) - { - return( psa_ssl_status_to_mbedtls( status ) ); - } - - output_offset += output_len; - } - } - - *olen = output_offset; - - return( 0 ); -} + size_t len, size_t *olen ); /** * \brief Write the second round of key exchange into the provided output @@ -2551,38 +2435,11 @@ static inline int psa_tls12_write_ecjpake_round_one( * * \return 0 on success or a negative error code in case of failure */ -static inline int psa_tls12_write_ecjpake_round_two( +int mbedtls_psa_ecjpake_write_round_two( psa_pake_operation_t *pake_ctx, unsigned char *buf, - size_t len, size_t *olen ) -{ - psa_status_t status; - size_t output_offset = 0; - size_t output_len; + size_t len, size_t *olen ); - for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE ; - step <= PSA_PAKE_STEP_ZK_PROOF ; - ++step ) - { - /* For each step, prepend 1 byte with the length of the data */ - *(buf + output_offset) = MBEDTLS_SSL_ECJPAKE_OUTPUT_SIZE( step ); - output_offset += 1; - status = psa_pake_output( pake_ctx, - step, buf + output_offset, - len - output_offset, - &output_len ); - if( status != PSA_SUCCESS ) - { - return( psa_ssl_status_to_mbedtls( status ) ); - } - - output_offset += output_len; - } - - *olen = output_offset; - - return( 0 ); -} #endif //MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO /** diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 8771c595b..35262cb88 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -8194,6 +8194,173 @@ end: return( ret ); } +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ + defined(MBEDTLS_USE_PSA_CRYPTO) +int mbedtls_psa_ecjpake_read_round_one( + psa_pake_operation_t *pake_ctx, + const unsigned char *buf, + size_t len ) +{ + psa_status_t status; + size_t input_offset = 0; + + /* Repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice */ + for( unsigned int x = 1; x <= 2; ++x ) + { + for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE; + step <= PSA_PAKE_STEP_ZK_PROOF; + ++step ) + { + /* Length is stored at the first byte */ + size_t length = buf[input_offset]; + input_offset += 1; + + if( input_offset + length > len ) + { + return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; + } + + status = psa_pake_input( pake_ctx, step, + buf + input_offset, length ); + if( status != PSA_SUCCESS) + { + return psa_ssl_status_to_mbedtls( status ); + } + + input_offset += length; + } + } + + return( 0 ); +} + +int mbedtls_psa_ecjpake_read_round_two( + psa_pake_operation_t *pake_ctx, + const unsigned char *buf, + size_t len, int role ) +{ + psa_status_t status; + size_t input_offset = 0; + + for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE ; + step <= PSA_PAKE_STEP_ZK_PROOF ; + ++step ) + { + size_t length; + + /* + * On its 2nd round, the server sends 3 extra bytes which identify the + * curve: + * - the 1st one is MBEDTLS_ECP_TLS_NAMED_CURVE + * - the 2nd and 3rd represent curve's TLS ID + * Validate this data before moving forward + */ + if( ( step == PSA_PAKE_STEP_KEY_SHARE ) && + ( role == MBEDTLS_SSL_IS_CLIENT ) ) + { + uint16_t tls_id = MBEDTLS_GET_UINT16_BE( buf, 1 ); + + if( ( *buf != MBEDTLS_ECP_TLS_NAMED_CURVE ) || + ( mbedtls_ecp_curve_info_from_tls_id( tls_id ) == NULL ) ) + return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); + + input_offset += 3; + } + + /* Length is stored at the first byte */ + length = buf[input_offset]; + input_offset += 1; + + if( input_offset + length > len ) + { + return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + } + + status = psa_pake_input( pake_ctx, step, + buf + input_offset, length ); + if( status != PSA_SUCCESS) + { + return psa_ssl_status_to_mbedtls( status ); + } + + input_offset += length; + } + + return( 0 ); +} + +int mbedtls_psa_ecjpake_write_round_one( + psa_pake_operation_t *pake_ctx, + unsigned char *buf, + size_t len, size_t *olen ) +{ + psa_status_t status; + size_t output_offset = 0; + size_t output_len; + + /* Repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice */ + for( unsigned int x = 1 ; x <= 2 ; ++x ) + { + for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE ; + step <= PSA_PAKE_STEP_ZK_PROOF ; + ++step ) + { + /* For each step, prepend 1 byte with the length of the data */ + *(buf + output_offset) = MBEDTLS_SSL_ECJPAKE_OUTPUT_SIZE( step ); + output_offset += 1; + + status = psa_pake_output( pake_ctx, step, + buf + output_offset, + len - output_offset, + &output_len ); + if( status != PSA_SUCCESS ) + { + return( psa_ssl_status_to_mbedtls( status ) ); + } + + output_offset += output_len; + } + } + + *olen = output_offset; + + return( 0 ); +} + +int mbedtls_psa_ecjpake_write_round_two( + psa_pake_operation_t *pake_ctx, + unsigned char *buf, + size_t len, size_t *olen ) +{ + psa_status_t status; + size_t output_offset = 0; + size_t output_len; + + for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE ; + step <= PSA_PAKE_STEP_ZK_PROOF ; + ++step ) + { + /* For each step, prepend 1 byte with the length of the data */ + *(buf + output_offset) = MBEDTLS_SSL_ECJPAKE_OUTPUT_SIZE( step ); + output_offset += 1; + status = psa_pake_output( pake_ctx, + step, buf + output_offset, + len - output_offset, + &output_len ); + if( status != PSA_SUCCESS ) + { + return( psa_ssl_status_to_mbedtls( status ) ); + } + + output_offset += output_len; + } + + *olen = output_offset; + + return( 0 ); +} +#endif //MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO + #if defined(MBEDTLS_USE_PSA_CRYPTO) int mbedtls_ssl_get_key_exchange_md_tls1_2( mbedtls_ssl_context *ssl, unsigned char *hash, size_t *hashlen, diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c index c90ed2e46..4e986d1df 100644 --- a/library/ssl_tls12_client.c +++ b/library/ssl_tls12_client.c @@ -164,7 +164,7 @@ static int ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_MSG( 3, ( "generating new ecjpake parameters" ) ); #if defined(MBEDTLS_USE_PSA_CRYPTO) - ret = psa_tls12_write_ecjpake_round_one(&ssl->handshake->psa_pake_ctx, + ret = mbedtls_psa_ecjpake_write_round_one(&ssl->handshake->psa_pake_ctx, p + 2, end - p - 2, &kkpp_len ); if ( ret != 0 ) { @@ -908,7 +908,7 @@ static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, ssl->handshake->ecjpake_cache_len = 0; #if defined(MBEDTLS_USE_PSA_CRYPTO) - if( ( ret = psa_tls12_parse_ecjpake_round_one( + if( ( ret = mbedtls_psa_ecjpake_read_round_one( &ssl->handshake->psa_pake_ctx, buf, len ) ) != 0 ) { psa_destroy_key( ssl->handshake->psa_pake_password ); @@ -2333,7 +2333,7 @@ start_processing: if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) { #if defined(MBEDTLS_USE_PSA_CRYPTO) - if( ( ret = psa_tls12_parse_ecjpake_round_two( + if( ( ret = mbedtls_psa_ecjpake_read_round_two( &ssl->handshake->psa_pake_ctx, p, end - p, ssl->conf->endpoint ) ) != 0 ) { @@ -3292,7 +3292,7 @@ ecdh_calc_secret: unsigned char *out_p = ssl->out_msg + header_len; unsigned char *end_p = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN - header_len; - ret = psa_tls12_write_ecjpake_round_two( &ssl->handshake->psa_pake_ctx, + ret = mbedtls_psa_ecjpake_write_round_two( &ssl->handshake->psa_pake_ctx, out_p, end_p - out_p, &content_len ); if ( ret != 0 ) { diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index 38899f952..f5c50ea67 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c @@ -305,7 +305,7 @@ static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, } #if defined(MBEDTLS_USE_PSA_CRYPTO) - if ( ( ret = psa_tls12_parse_ecjpake_round_one( + if ( ( ret = mbedtls_psa_ecjpake_read_round_one( &ssl->handshake->psa_pake_ctx, buf, len ) ) != 0 ) { psa_destroy_key( ssl->handshake->psa_pake_password ); @@ -2896,7 +2896,7 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl, MBEDTLS_PUT_UINT16_BE( curve_info->tls_id, out_p, 1 ); output_offset += sizeof( uint8_t ) + sizeof( uint16_t ); - ret = psa_tls12_write_ecjpake_round_two( &ssl->handshake->psa_pake_ctx, + ret = mbedtls_psa_ecjpake_write_round_two( &ssl->handshake->psa_pake_ctx, out_p + output_offset, end_p - out_p - output_offset, &output_len ); if( ret != 0 ) @@ -4143,7 +4143,7 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) { #if defined(MBEDTLS_USE_PSA_CRYPTO) - if( ( ret = psa_tls12_parse_ecjpake_round_two( + if( ( ret = mbedtls_psa_ecjpake_read_round_two( &ssl->handshake->psa_pake_ctx, p, end - p, ssl->conf->endpoint ) ) != 0 ) { From a98836476782db7fc3883b02c25707fe3da2cd3a Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 17 Nov 2022 15:34:59 +0100 Subject: [PATCH 09/19] tls: psa_pake: fix missing new round one parsing function on tls12 server Signed-off-by: Valerio Setti --- library/ssl_tls12_server.c | 43 +++++++------------------------------- 1 file changed, 7 insertions(+), 36 deletions(-) diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index f5c50ea67..2e480636a 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c @@ -1995,11 +1995,7 @@ static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, unsigned char *buf, size_t *olen ) { -#if defined(MBEDTLS_USE_PSA_CRYPTO) - psa_status_t status; -#else int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; -#endif /* MBEDTLS_USE_PSA_CRYPTO */ unsigned char *p = buf; const unsigned char *end = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN; size_t kkpp_len; @@ -2023,40 +2019,15 @@ static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, p += 2; #if defined(MBEDTLS_USE_PSA_CRYPTO) - size_t output_offset = 0; - size_t output_len; - - /* Repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice */ - for( unsigned int x = 1 ; x <= 2 ; ++x ) + ret = mbedtls_psa_ecjpake_write_round_one( &ssl->handshake->psa_pake_ctx, + p + 2, end - p - 2, &kkpp_len ); + if ( ret != 0 ) { - for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE ; - step <= PSA_PAKE_STEP_ZK_PROOF ; - ++step ) - { - /* For each step, prepend 1 byte with the length of the data */ - if (step != PSA_PAKE_STEP_ZK_PROOF) { - *(p + 2 + output_offset) = 65; - } else { - *(p + 2 + output_offset) = 32; - } - output_offset += 1; - status = psa_pake_output( &ssl->handshake->psa_pake_ctx, - step, p + 2 + output_offset, - end - p - output_offset - 2, - &output_len ); - if( status != PSA_SUCCESS ) - { - psa_destroy_key( ssl->handshake->psa_pake_password ); - psa_pake_abort( &ssl->handshake->psa_pake_ctx ); - MBEDTLS_SSL_DEBUG_RET( 1 , "psa_pake_output", status ); - return; - } - - output_offset += output_len; - } + psa_destroy_key( ssl->handshake->psa_pake_password ); + psa_pake_abort( &ssl->handshake->psa_pake_ctx ); + MBEDTLS_SSL_DEBUG_RET( 1 , "psa_pake_output", ret ); + return; } - - kkpp_len = output_offset; #else ret = mbedtls_ecjpake_write_round_one( &ssl->handshake->ecjpake_ctx, p + 2, end - p - 2, &kkpp_len, From 30ebe11f869ef6c04396e77bc091ca2d31a45c17 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 17 Nov 2022 16:23:34 +0100 Subject: [PATCH 10/19] tls: psa_pake: add a check on read size on both rounds Signed-off-by: Valerio Setti --- library/ssl_tls.c | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 35262cb88..06a5ec53d 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -8231,6 +8231,9 @@ int mbedtls_psa_ecjpake_read_round_one( } } + if ( input_offset != len ) + return PSA_ERROR_INVALID_ARGUMENT; + return( 0 ); } @@ -8286,6 +8289,9 @@ int mbedtls_psa_ecjpake_read_round_two( input_offset += length; } + if ( input_offset != len ) + return PSA_ERROR_INVALID_ARGUMENT; + return( 0 ); } From 9bed8ec5d85536275ca32b0cd6bb738612ea98e6 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 17 Nov 2022 16:36:19 +0100 Subject: [PATCH 11/19] tls: psa_pake: make round two reading function symmatric to the writing one Signed-off-by: Valerio Setti --- library/ssl_misc.h | 3 +-- library/ssl_tls.c | 21 +-------------------- library/ssl_tls12_client.c | 26 ++++++++++++++++++++++++-- library/ssl_tls12_server.c | 3 +-- 4 files changed, 27 insertions(+), 26 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index d022721a7..82a951a58 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -2405,8 +2405,7 @@ int mbedtls_psa_ecjpake_read_round_one( */ int mbedtls_psa_ecjpake_read_round_two( psa_pake_operation_t *pake_ctx, - const unsigned char *buf, - size_t len, int role ); + const unsigned char *buf, size_t len ); /** * \brief Write the first round of key exchange into the provided output diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 06a5ec53d..ae12c7ebd 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -8240,7 +8240,7 @@ int mbedtls_psa_ecjpake_read_round_one( int mbedtls_psa_ecjpake_read_round_two( psa_pake_operation_t *pake_ctx, const unsigned char *buf, - size_t len, int role ) + size_t len ) { psa_status_t status; size_t input_offset = 0; @@ -8251,25 +8251,6 @@ int mbedtls_psa_ecjpake_read_round_two( { size_t length; - /* - * On its 2nd round, the server sends 3 extra bytes which identify the - * curve: - * - the 1st one is MBEDTLS_ECP_TLS_NAMED_CURVE - * - the 2nd and 3rd represent curve's TLS ID - * Validate this data before moving forward - */ - if( ( step == PSA_PAKE_STEP_KEY_SHARE ) && - ( role == MBEDTLS_SSL_IS_CLIENT ) ) - { - uint16_t tls_id = MBEDTLS_GET_UINT16_BE( buf, 1 ); - - if( ( *buf != MBEDTLS_ECP_TLS_NAMED_CURVE ) || - ( mbedtls_ecp_curve_info_from_tls_id( tls_id ) == NULL ) ) - return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); - - input_offset += 3; - } - /* Length is stored at the first byte */ length = buf[input_offset]; input_offset += 1; diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c index 4e986d1df..6dd8ef50f 100644 --- a/library/ssl_tls12_client.c +++ b/library/ssl_tls12_client.c @@ -2333,9 +2333,31 @@ start_processing: if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) { #if defined(MBEDTLS_USE_PSA_CRYPTO) + /* + * The first 3 bytes are: + * [0] MBEDTLS_ECP_TLS_NAMED_CURVE + * [1, 2] elliptic curve's TLS ID + * + * However since we only support secp256r1 for now, we check only + * that TLS ID here + */ + uint16_t read_tls_id = MBEDTLS_GET_UINT16_BE( p, 1 ); + const mbedtls_ecp_curve_info *curve_info; + + if( ( curve_info = mbedtls_ecp_curve_info_from_grp_id( + MBEDTLS_ECP_DP_SECP256R1 ) ) == NULL ) + { + return( MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE ); + } + + if( ( *p != MBEDTLS_ECP_TLS_NAMED_CURVE ) || + ( read_tls_id != curve_info->tls_id ) ) + return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); + + p += 3; + if( ( ret = mbedtls_psa_ecjpake_read_round_two( - &ssl->handshake->psa_pake_ctx, p, end - p, - ssl->conf->endpoint ) ) != 0 ) + &ssl->handshake->psa_pake_ctx, p, end - p ) ) != 0 ) { psa_destroy_key( ssl->handshake->psa_pake_password ); psa_pake_abort( &ssl->handshake->psa_pake_ctx ); diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index 2e480636a..3bc7217b7 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c @@ -4115,8 +4115,7 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) { #if defined(MBEDTLS_USE_PSA_CRYPTO) if( ( ret = mbedtls_psa_ecjpake_read_round_two( - &ssl->handshake->psa_pake_ctx, p, end - p, - ssl->conf->endpoint ) ) != 0 ) + &ssl->handshake->psa_pake_ctx, p, end - p ) ) != 0 ) { psa_destroy_key( ssl->handshake->psa_pake_password ); psa_pake_abort( &ssl->handshake->psa_pake_ctx ); From 6b3dab03b5f0c3fe42ebfb83cf171192c08dd88f Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 17 Nov 2022 17:14:54 +0100 Subject: [PATCH 12/19] tls: psa_pake: use a single function for round one and two in key exchange read/write Signed-off-by: Valerio Setti --- library/ssl_misc.h | 48 +++++------------- library/ssl_tls.c | 101 +++++++------------------------------ library/ssl_tls12_client.c | 20 +++++--- library/ssl_tls12_server.c | 20 +++++--- 4 files changed, 57 insertions(+), 132 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 82a951a58..0f43a18f4 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -2378,6 +2378,11 @@ static inline int psa_ssl_status_to_mbedtls( psa_status_t status ) MBEDTLS_SSL_ECJPAKE_PSA_PRIMITIVE, \ step ) +typedef enum { + MBEDTLS_ECJPAKE_ROUND_ONE, + MBEDTLS_ECJPAKE_ROUND_TWO +} mbedtls_ecjpake_rounds_t; + /** * \brief Parse the provided input buffer for getting the first round * of key exchange. This code is common between server and client @@ -2385,27 +2390,15 @@ static inline int psa_ssl_status_to_mbedtls( psa_status_t status ) * \param pake_ctx [in] the PAKE's operation/context structure * \param buf [in] input buffer to parse * \param len [in] length of the input buffer + * \param round [in] either MBEDTLS_ECJPAKE_ROUND_ONE or + * MBEDTLS_ECJPAKE_ROUND_TWO * * \return 0 on success or a negative error code in case of failure */ -int mbedtls_psa_ecjpake_read_round_one( +int mbedtls_psa_ecjpake_read_round( psa_pake_operation_t *pake_ctx, const unsigned char *buf, - size_t len ); - -/** - * \brief Parse the provided input buffer for getting the second round - * of key exchange. This code is common between server and client - * - * \param pake_ctx [in] the PAKE's operation/context structure - * \param buf [in] input buffer to parse - * \param len [in] length of the input buffer - * - * \return 0 on success or a negative error code in case of failure - */ -int mbedtls_psa_ecjpake_read_round_two( - psa_pake_operation_t *pake_ctx, - const unsigned char *buf, size_t len ); + size_t len, mbedtls_ecjpake_rounds_t round ); /** * \brief Write the first round of key exchange into the provided output @@ -2415,29 +2408,16 @@ int mbedtls_psa_ecjpake_read_round_two( * \param buf [out] the output buffer in which data will be written to * \param len [in] length of the output buffer * \param olen [out] the length of the data really written on the buffer + * \param round [in] either MBEDTLS_ECJPAKE_ROUND_ONE or + * MBEDTLS_ECJPAKE_ROUND_TWO * * \return 0 on success or a negative error code in case of failure */ -int mbedtls_psa_ecjpake_write_round_one( +int mbedtls_psa_ecjpake_write_round( psa_pake_operation_t *pake_ctx, unsigned char *buf, - size_t len, size_t *olen ); - -/** - * \brief Write the second round of key exchange into the provided output - * buffer. This code is common between server and client - * - * \param pake_ctx [in] the PAKE's operation/context structure - * \param buf [out] the output buffer in which data will be written to - * \param len [in] length of the output buffer - * \param olen [out] the length of the data really written on the buffer - * - * \return 0 on success or a negative error code in case of failure - */ -int mbedtls_psa_ecjpake_write_round_two( - psa_pake_operation_t *pake_ctx, - unsigned char *buf, - size_t len, size_t *olen ); + size_t len, size_t *olen, + mbedtls_ecjpake_rounds_t round ); #endif //MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO diff --git a/library/ssl_tls.c b/library/ssl_tls.c index ae12c7ebd..a1fa8697b 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -8196,16 +8196,20 @@ end: #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ defined(MBEDTLS_USE_PSA_CRYPTO) -int mbedtls_psa_ecjpake_read_round_one( +int mbedtls_psa_ecjpake_read_round( psa_pake_operation_t *pake_ctx, const unsigned char *buf, - size_t len ) + size_t len, mbedtls_ecjpake_rounds_t round ) { psa_status_t status; size_t input_offset = 0; + /* + * At round one repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice + * At round two perform a single cycle + */ + unsigned int remaining_steps = ( round == MBEDTLS_ECJPAKE_ROUND_ONE) ? 2 : 1; - /* Repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice */ - for( unsigned int x = 1; x <= 2; ++x ) + for( ; remaining_steps > 0; remaining_steps-- ) { for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE; step <= PSA_PAKE_STEP_ZK_PROOF; @@ -8237,59 +8241,25 @@ int mbedtls_psa_ecjpake_read_round_one( return( 0 ); } -int mbedtls_psa_ecjpake_read_round_two( - psa_pake_operation_t *pake_ctx, - const unsigned char *buf, - size_t len ) -{ - psa_status_t status; - size_t input_offset = 0; - - for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE ; - step <= PSA_PAKE_STEP_ZK_PROOF ; - ++step ) - { - size_t length; - - /* Length is stored at the first byte */ - length = buf[input_offset]; - input_offset += 1; - - if( input_offset + length > len ) - { - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; - } - - status = psa_pake_input( pake_ctx, step, - buf + input_offset, length ); - if( status != PSA_SUCCESS) - { - return psa_ssl_status_to_mbedtls( status ); - } - - input_offset += length; - } - - if ( input_offset != len ) - return PSA_ERROR_INVALID_ARGUMENT; - - return( 0 ); -} - -int mbedtls_psa_ecjpake_write_round_one( +int mbedtls_psa_ecjpake_write_round( psa_pake_operation_t *pake_ctx, unsigned char *buf, - size_t len, size_t *olen ) + size_t len, size_t *olen, + mbedtls_ecjpake_rounds_t round ) { psa_status_t status; size_t output_offset = 0; size_t output_len; + /* + * At round one repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice + * At round two perform a single cycle + */ + unsigned int remaining_steps = ( round == MBEDTLS_ECJPAKE_ROUND_ONE) ? 2 : 1; - /* Repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice */ - for( unsigned int x = 1 ; x <= 2 ; ++x ) + for( ; remaining_steps > 0; remaining_steps-- ) { - for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE ; - step <= PSA_PAKE_STEP_ZK_PROOF ; + for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE; + step <= PSA_PAKE_STEP_ZK_PROOF; ++step ) { /* For each step, prepend 1 byte with the length of the data */ @@ -8313,39 +8283,6 @@ int mbedtls_psa_ecjpake_write_round_one( return( 0 ); } - -int mbedtls_psa_ecjpake_write_round_two( - psa_pake_operation_t *pake_ctx, - unsigned char *buf, - size_t len, size_t *olen ) -{ - psa_status_t status; - size_t output_offset = 0; - size_t output_len; - - for( psa_pake_step_t step = PSA_PAKE_STEP_KEY_SHARE ; - step <= PSA_PAKE_STEP_ZK_PROOF ; - ++step ) - { - /* For each step, prepend 1 byte with the length of the data */ - *(buf + output_offset) = MBEDTLS_SSL_ECJPAKE_OUTPUT_SIZE( step ); - output_offset += 1; - status = psa_pake_output( pake_ctx, - step, buf + output_offset, - len - output_offset, - &output_len ); - if( status != PSA_SUCCESS ) - { - return( psa_ssl_status_to_mbedtls( status ) ); - } - - output_offset += output_len; - } - - *olen = output_offset; - - return( 0 ); -} #endif //MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO #if defined(MBEDTLS_USE_PSA_CRYPTO) diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c index 6dd8ef50f..8fcf5a4f5 100644 --- a/library/ssl_tls12_client.c +++ b/library/ssl_tls12_client.c @@ -164,8 +164,9 @@ static int ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_MSG( 3, ( "generating new ecjpake parameters" ) ); #if defined(MBEDTLS_USE_PSA_CRYPTO) - ret = mbedtls_psa_ecjpake_write_round_one(&ssl->handshake->psa_pake_ctx, - p + 2, end - p - 2, &kkpp_len ); + ret = mbedtls_psa_ecjpake_write_round(&ssl->handshake->psa_pake_ctx, + p + 2, end - p - 2, &kkpp_len, + MBEDTLS_ECJPAKE_ROUND_ONE ); if ( ret != 0 ) { psa_destroy_key( ssl->handshake->psa_pake_password ); @@ -908,8 +909,9 @@ static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, ssl->handshake->ecjpake_cache_len = 0; #if defined(MBEDTLS_USE_PSA_CRYPTO) - if( ( ret = mbedtls_psa_ecjpake_read_round_one( - &ssl->handshake->psa_pake_ctx, buf, len ) ) != 0 ) + if( ( ret = mbedtls_psa_ecjpake_read_round( + &ssl->handshake->psa_pake_ctx, buf, len, + MBEDTLS_ECJPAKE_ROUND_ONE ) ) != 0 ) { psa_destroy_key( ssl->handshake->psa_pake_password ); psa_pake_abort( &ssl->handshake->psa_pake_ctx ); @@ -2356,8 +2358,9 @@ start_processing: p += 3; - if( ( ret = mbedtls_psa_ecjpake_read_round_two( - &ssl->handshake->psa_pake_ctx, p, end - p ) ) != 0 ) + if( ( ret = mbedtls_psa_ecjpake_read_round( + &ssl->handshake->psa_pake_ctx, p, end - p, + MBEDTLS_ECJPAKE_ROUND_TWO ) ) != 0 ) { psa_destroy_key( ssl->handshake->psa_pake_password ); psa_pake_abort( &ssl->handshake->psa_pake_ctx ); @@ -3314,8 +3317,9 @@ ecdh_calc_secret: unsigned char *out_p = ssl->out_msg + header_len; unsigned char *end_p = ssl->out_msg + MBEDTLS_SSL_OUT_CONTENT_LEN - header_len; - ret = mbedtls_psa_ecjpake_write_round_two( &ssl->handshake->psa_pake_ctx, - out_p, end_p - out_p, &content_len ); + ret = mbedtls_psa_ecjpake_write_round( &ssl->handshake->psa_pake_ctx, + out_p, end_p - out_p, &content_len, + MBEDTLS_ECJPAKE_ROUND_TWO ); if ( ret != 0 ) { psa_destroy_key( ssl->handshake->psa_pake_password ); diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index 3bc7217b7..e6dee49c1 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c @@ -305,8 +305,9 @@ static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, } #if defined(MBEDTLS_USE_PSA_CRYPTO) - if ( ( ret = mbedtls_psa_ecjpake_read_round_one( - &ssl->handshake->psa_pake_ctx, buf, len ) ) != 0 ) + if ( ( ret = mbedtls_psa_ecjpake_read_round( + &ssl->handshake->psa_pake_ctx, buf, len, + MBEDTLS_ECJPAKE_ROUND_ONE ) ) != 0 ) { psa_destroy_key( ssl->handshake->psa_pake_password ); psa_pake_abort( &ssl->handshake->psa_pake_ctx ); @@ -2019,8 +2020,9 @@ static void ssl_write_ecjpake_kkpp_ext( mbedtls_ssl_context *ssl, p += 2; #if defined(MBEDTLS_USE_PSA_CRYPTO) - ret = mbedtls_psa_ecjpake_write_round_one( &ssl->handshake->psa_pake_ctx, - p + 2, end - p - 2, &kkpp_len ); + ret = mbedtls_psa_ecjpake_write_round( &ssl->handshake->psa_pake_ctx, + p + 2, end - p - 2, &kkpp_len, + MBEDTLS_ECJPAKE_ROUND_ONE ); if ( ret != 0 ) { psa_destroy_key( ssl->handshake->psa_pake_password ); @@ -2867,9 +2869,10 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl, MBEDTLS_PUT_UINT16_BE( curve_info->tls_id, out_p, 1 ); output_offset += sizeof( uint8_t ) + sizeof( uint16_t ); - ret = mbedtls_psa_ecjpake_write_round_two( &ssl->handshake->psa_pake_ctx, + ret = mbedtls_psa_ecjpake_write_round( &ssl->handshake->psa_pake_ctx, out_p + output_offset, - end_p - out_p - output_offset, &output_len ); + end_p - out_p - output_offset, &output_len, + MBEDTLS_ECJPAKE_ROUND_TWO ); if( ret != 0 ) { psa_destroy_key( ssl->handshake->psa_pake_password ); @@ -4114,8 +4117,9 @@ static int ssl_parse_client_key_exchange( mbedtls_ssl_context *ssl ) if( ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECJPAKE ) { #if defined(MBEDTLS_USE_PSA_CRYPTO) - if( ( ret = mbedtls_psa_ecjpake_read_round_two( - &ssl->handshake->psa_pake_ctx, p, end - p ) ) != 0 ) + if( ( ret = mbedtls_psa_ecjpake_read_round( + &ssl->handshake->psa_pake_ctx, p, end - p, + MBEDTLS_ECJPAKE_ROUND_TWO ) ) != 0 ) { psa_destroy_key( ssl->handshake->psa_pake_password ); psa_pake_abort( &ssl->handshake->psa_pake_ctx ); From 819de86895383292f26ae83619f20eb853a00a75 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 17 Nov 2022 18:05:19 +0100 Subject: [PATCH 13/19] tls: removed extra white spaces and other minor fix Signed-off-by: Valerio Setti --- library/ssl_tls.c | 6 +++--- library/ssl_tls12_server.c | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index a1fa8697b..fa415a894 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -8203,7 +8203,7 @@ int mbedtls_psa_ecjpake_read_round( { psa_status_t status; size_t input_offset = 0; - /* + /* * At round one repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice * At round two perform a single cycle */ @@ -8235,7 +8235,7 @@ int mbedtls_psa_ecjpake_read_round( } } - if ( input_offset != len ) + if( input_offset != len ) return PSA_ERROR_INVALID_ARGUMENT; return( 0 ); @@ -8250,7 +8250,7 @@ int mbedtls_psa_ecjpake_write_round( psa_status_t status; size_t output_offset = 0; size_t output_len; - /* + /* * At round one repeat the KEY_SHARE, ZK_PUBLIC & ZF_PROOF twice * At round two perform a single cycle */ diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index e6dee49c1..1e9e51b30 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c @@ -305,8 +305,8 @@ static int ssl_parse_ecjpake_kkpp( mbedtls_ssl_context *ssl, } #if defined(MBEDTLS_USE_PSA_CRYPTO) - if ( ( ret = mbedtls_psa_ecjpake_read_round( - &ssl->handshake->psa_pake_ctx, buf, len, + if( ( ret = mbedtls_psa_ecjpake_read_round( + &ssl->handshake->psa_pake_ctx, buf, len, MBEDTLS_ECJPAKE_ROUND_ONE ) ) != 0 ) { psa_destroy_key( ssl->handshake->psa_pake_password ); @@ -2867,7 +2867,7 @@ static int ssl_prepare_server_key_exchange( mbedtls_ssl_context *ssl, } *out_p = MBEDTLS_ECP_TLS_NAMED_CURVE; MBEDTLS_PUT_UINT16_BE( curve_info->tls_id, out_p, 1 ); - output_offset += sizeof( uint8_t ) + sizeof( uint16_t ); + output_offset += 3; ret = mbedtls_psa_ecjpake_write_round( &ssl->handshake->psa_pake_ctx, out_p + output_offset, From aca21b717c26407f146f2bcf7ee7241854209639 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 17 Nov 2022 18:17:01 +0100 Subject: [PATCH 14/19] tls: psa_pake: enforce not empty passwords Signed-off-by: Valerio Setti --- include/mbedtls/ecjpake.h | 2 +- include/mbedtls/ssl.h | 3 ++- library/ssl_tls.c | 35 ++++++++++++++++------------------- 3 files changed, 19 insertions(+), 21 deletions(-) diff --git a/include/mbedtls/ecjpake.h b/include/mbedtls/ecjpake.h index e7ca1b235..3dd3361a1 100644 --- a/include/mbedtls/ecjpake.h +++ b/include/mbedtls/ecjpake.h @@ -113,7 +113,7 @@ void mbedtls_ecjpake_init( mbedtls_ecjpake_context *ctx ); * \param curve The identifier of the elliptic curve to use, * for example #MBEDTLS_ECP_DP_SECP256R1. * \param secret The pre-shared secret (passphrase). This must be - * a readable buffer of length \p len Bytes. It need + * a readable not empty buffer of length \p len Bytes. It need * only be valid for the duration of this call. * \param len The length of the pre-shared secret \p secret. * diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 01ede4088..085235721 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -3824,9 +3824,10 @@ void mbedtls_ssl_conf_sni( mbedtls_ssl_config *conf, * \note The SSL context needs to be already set up. The right place * to call this function is between \c mbedtls_ssl_setup() or * \c mbedtls_ssl_reset() and \c mbedtls_ssl_handshake(). + * Password cannot be empty (see RFC 8236). * * \param ssl SSL context - * \param pw EC J-PAKE password (pre-shared secret) + * \param pw EC J-PAKE password (pre-shared secret). It cannot be empty * \param pw_len length of pw in bytes * * \return 0 on success, or a negative error code. diff --git a/library/ssl_tls.c b/library/ssl_tls.c index fa415a894..062ff25dd 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -1634,18 +1634,18 @@ int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl, else psa_role = PSA_PAKE_ROLE_CLIENT; + /* Empty password is not valid */ + if( ( pw == NULL) || ( pw_len == 0 ) ) + return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); - if( pw_len > 0 ) - { - psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DERIVE ); - psa_set_key_algorithm( &attributes, PSA_ALG_JPAKE ); - psa_set_key_type( &attributes, PSA_KEY_TYPE_PASSWORD ); + psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DERIVE ); + psa_set_key_algorithm( &attributes, PSA_ALG_JPAKE ); + psa_set_key_type( &attributes, PSA_KEY_TYPE_PASSWORD ); - status = psa_import_key( &attributes, pw, pw_len, - &ssl->handshake->psa_pake_password ); - if( status != PSA_SUCCESS ) - return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); - } + status = psa_import_key( &attributes, pw, pw_len, + &ssl->handshake->psa_pake_password ); + if( status != PSA_SUCCESS ) + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); psa_pake_cs_set_algorithm( &cipher_suite, PSA_ALG_JPAKE ); psa_pake_cs_set_primitive( &cipher_suite, @@ -1669,16 +1669,13 @@ int mbedtls_ssl_set_hs_ecjpake_password( mbedtls_ssl_context *ssl, return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); } - if( pw_len > 0 ) + psa_pake_set_password_key( &ssl->handshake->psa_pake_ctx, + ssl->handshake->psa_pake_password ); + if( status != PSA_SUCCESS ) { - psa_pake_set_password_key( &ssl->handshake->psa_pake_ctx, - ssl->handshake->psa_pake_password ); - if( status != PSA_SUCCESS ) - { - psa_destroy_key( ssl->handshake->psa_pake_password ); - psa_pake_abort( &ssl->handshake->psa_pake_ctx ); - return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); - } + psa_destroy_key( ssl->handshake->psa_pake_password ); + psa_pake_abort( &ssl->handshake->psa_pake_ctx ); + return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); } ssl->handshake->psa_pake_ctx_is_ok = 1; From 61ea17d30a2da481987e634e100082fccc46062f Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Fri, 18 Nov 2022 12:11:00 +0100 Subject: [PATCH 15/19] tls: psa_pake: fix return values in parse functions Ensure they all belong to the MBEDTLS_ERR_SSL_* group Signed-off-by: Valerio Setti --- library/ssl_tls.c | 2 +- library/ssl_tls12_client.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 062ff25dd..c1436c532 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -8233,7 +8233,7 @@ int mbedtls_psa_ecjpake_read_round( } if( input_offset != len ) - return PSA_ERROR_INVALID_ARGUMENT; + return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE; return( 0 ); } diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c index 8fcf5a4f5..7c293ec9e 100644 --- a/library/ssl_tls12_client.c +++ b/library/ssl_tls12_client.c @@ -2354,7 +2354,7 @@ start_processing: if( ( *p != MBEDTLS_ECP_TLS_NAMED_CURVE ) || ( read_tls_id != curve_info->tls_id ) ) - return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA ); + return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); p += 3; From 79f6b6bb1bcbef2fb783cb43724903dea30377f7 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 21 Nov 2022 14:17:03 +0100 Subject: [PATCH 16/19] tls: psa_pake: fixing mbedtls_psa_ecjpake_write_round() It might happen that the psa_pake_output() function returns elements which are not exactly 32 or 65 bytes as expected, but 1 bytes less. As a consequence, insted of hardcoding the expected value for the length in the output buffer, we write the correct one as obtained from psa_pake_output() Signed-off-by: Valerio Setti --- library/ssl_tls.c | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index c1436c532..7b51040c4 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -8259,20 +8259,27 @@ int mbedtls_psa_ecjpake_write_round( step <= PSA_PAKE_STEP_ZK_PROOF; ++step ) { - /* For each step, prepend 1 byte with the length of the data */ - *(buf + output_offset) = MBEDTLS_SSL_ECJPAKE_OUTPUT_SIZE( step ); - output_offset += 1; - + /* + * For each step, prepend 1 byte with the length of the data. + * + * NOTE = psa_pake_output() sometimes output elements which are + * NOT 32 or 65 bytes as expected, but 1 byte less. So, instead + * of hardcoding the expected length, we + * - get the output first + * - then write the length of this output + */ status = psa_pake_output( pake_ctx, step, - buf + output_offset, - len - output_offset, + buf + output_offset + 1, + len - output_offset - 1, &output_len ); if( status != PSA_SUCCESS ) { return( psa_ssl_status_to_mbedtls( status ) ); } - output_offset += output_len; + *(buf + output_offset) = output_len; + + output_offset += output_len + 1; } } From 5151bdf46eb83823c4946c500c48bbad3b8f76e7 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 21 Nov 2022 14:30:02 +0100 Subject: [PATCH 17/19] tls: psa_pake: add missing braces Signed-off-by: Valerio Setti --- library/ssl_tls12_client.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c index 7c293ec9e..5ff8ab4b8 100644 --- a/library/ssl_tls12_client.c +++ b/library/ssl_tls12_client.c @@ -2354,7 +2354,9 @@ start_processing: if( ( *p != MBEDTLS_ECP_TLS_NAMED_CURVE ) || ( read_tls_id != curve_info->tls_id ) ) + { return( MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER ); + } p += 3; From d4a9b1ab8d124eaf7bff20d4bfe078f4ddc09483 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 22 Nov 2022 11:11:10 +0100 Subject: [PATCH 18/19] tls: psa_pake: remove useless defines and fix a comment Signed-off-by: Valerio Setti --- library/ssl_misc.h | 11 ----------- library/ssl_tls.c | 9 ++------- 2 files changed, 2 insertions(+), 18 deletions(-) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 0f43a18f4..2ff7e0c22 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -2367,17 +2367,6 @@ static inline int psa_ssl_status_to_mbedtls( psa_status_t status ) #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ defined(MBEDTLS_USE_PSA_CRYPTO) -/* Currently JPAKE only supports elliptic curve secp256r1 */ -#define MBEDTLS_SSL_ECJPAKE_PSA_PRIMITIVE \ - PSA_PAKE_PRIMITIVE( PSA_PAKE_PRIMITIVE_TYPE_ECC, \ - PSA_ECC_FAMILY_SECP_R1, 256 ) - -/* Expected output data size for each "step" of EC-JPAKE key echange */ -#define MBEDTLS_SSL_ECJPAKE_OUTPUT_SIZE( step ) \ - PSA_PAKE_OUTPUT_SIZE( PSA_ALG_JPAKE, \ - MBEDTLS_SSL_ECJPAKE_PSA_PRIMITIVE, \ - step ) - typedef enum { MBEDTLS_ECJPAKE_ROUND_ONE, MBEDTLS_ECJPAKE_ROUND_TWO diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 7b51040c4..5bfdde7bc 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -8260,13 +8260,8 @@ int mbedtls_psa_ecjpake_write_round( ++step ) { /* - * For each step, prepend 1 byte with the length of the data. - * - * NOTE = psa_pake_output() sometimes output elements which are - * NOT 32 or 65 bytes as expected, but 1 byte less. So, instead - * of hardcoding the expected length, we - * - get the output first - * - then write the length of this output + * For each step, prepend 1 byte with the length of the data as + * given by psa_pake_output(). */ status = psa_pake_output( pake_ctx, step, buf + output_offset + 1, From 99d88c1ab488c806b4919d50301c38488f1fb478 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 22 Nov 2022 16:03:43 +0100 Subject: [PATCH 19/19] tls: psa_pake: fix missing casting in mbedtls_psa_ecjpake_write_round Signed-off-by: Valerio Setti --- library/ssl_tls.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 5bfdde7bc..4efcee067 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -8272,7 +8272,7 @@ int mbedtls_psa_ecjpake_write_round( return( psa_ssl_status_to_mbedtls( status ) ); } - *(buf + output_offset) = output_len; + *(buf + output_offset) = (uint8_t) output_len; output_offset += output_len + 1; }